You cannot fill out this field
Currency
EUR

GDPR

Privacy Policy


I. Basic Provisions and Identity of the Controller

1. The controller of personal data pursuant to Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter "GDPR") is:

Patrik Oborný trading under the business name Hunter-deco Company ID (IČ): 07798601 Registered address: Zbýšov 176, 683 52 Křenovice, Czech Republic

(hereinafter the "Controller")

2. Contact details of the Controller:

3. The Controller has not appointed a Data Protection Officer, as no such obligation arises for the Controller (Article 37 GDPR).

4. Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


II. Sources and Categories of Personal Data Processed

1. The Controller processes personal data that you have provided directly (in particular through the order form, customer account registration or contact form) and personal data obtained in the course of fulfilling the contractual relationship.

2. The Controller processes the following categories of personal data:

  • Identification data: first name and surname
  • Contact data: delivery and billing address, e-mail address, telephone number
  • Transaction data: information about orders, purchased goods, payment method and delivery method
  • Operational and technical data: IP address, cookies, information about behaviour on the website (only to the extent of consent given for cookies)

3. The Controller does not process special categories of personal data within the meaning of Article 9 GDPR (i.e. data concerning health, racial or ethnic origin, religious beliefs, etc.).


III. Legal Basis and Purpose of Processing Personal Data

The Controller processes personal data on the basis of the following legal grounds:

a) Performance of a contract – Article 6(1)(b) GDPR

Purpose: Processing of your order, conclusion and performance of the purchase contract, handling of complaints, management of customer account.

Scope of data: First name and surname, delivery and billing address, e-mail, telephone number, order information.

Note: Providing this data is a contractual requirement. Without providing it, the contract cannot be concluded or performed.


b) Compliance with a legal obligation – Article 6(1)(c) GDPR

Purpose: Fulfilment of obligations arising from legal regulations, in particular tax and accounting obligations (Act No. 563/1991 Coll., on Accounting; Act No. 235/2004 Coll., on VAT).

Scope of data: Billing data necessary for accounting records and tax documents.


c) Legitimate interests of the Controller – Article 6(1)(f) GDPR

Purpose: Sending commercial communications relating to similar or related goods to existing customers who have not refused such communications (Section 7(3) of Act No. 480/2004 Coll.).

Scope of data: E-mail address.

Legitimate interest: Direct marketing to existing customers. You have the right to object to this processing at any time free of charge (see Article VI of this Policy).


d) Consent of the data subject – Article 6(1)(a) GDPR

Purpose: Sending commercial communications and newsletters to persons who are not existing customers of the Controller, and processing of personal data for analytical and marketing purposes via cookies (to the extent of consent given).

Scope of data: E-mail address and, where applicable, operational and technical data.

Note: Consent is voluntary and may be withdrawn at any time without affecting the lawfulness of processing carried out prior to withdrawal.


e) Automated decision-making

The Controller does not carry out automated individual decision-making or profiling within the meaning of Article 22 GDPR that would have legal or similarly significant effects on data subjects.


IV. Retention Periods for Personal Data

1. The Controller retains personal data for the period strictly necessary to fulfil the purpose of processing:

Purpose of processing Retention period
Performance of purchase contract, order processing For the duration of the contractual relationship and for a further 3 years after its termination, for the purpose of potential assertion or defence of legal claims
Fulfilment of accounting and tax obligations 10 years from the end of the tax period in which the transaction took place (pursuant to the Accounting Act and the VAT Act)
Direct marketing – legitimate interest (existing customers) For 3 years from the conclusion of the last contract, or until an objection is raised
Direct marketing – consent Until consent is withdrawn, for a maximum of 3 years from the date of consent
Cookies – analytical and marketing Subject to consent settings, typically 1–2 years

2. Upon expiry of the relevant retention period, the Controller will securely delete or anonymise the personal data.


V. Recipients and Processors of Personal Data

1. Personal data may be shared, to the extent strictly necessary, with the following categories of recipients:

  • Carriers and delivery services: for the purpose of delivering ordered goods (e.g. Zásilkovna, Česká pošta, PPL, DPD)
  • E-commerce platform provider: Shoptet a.s., Company ID: 289 35 675, for the purpose of technical operation of the online shop
  • Payment gateway provider: Shoptet Pay / relevant payment service provider, for the purpose of processing payments
  • Accountant / tax adviser: for the purpose of fulfilling the Controller's statutory obligations
  • Marketing and e-mailing tool providers: for the purpose of sending commercial communications (only to the extent of consent given or legitimate interest)
  • Public authorities: where the Controller is required to provide personal data by law (e.g. tax authorities, courts, Police of the Czech Republic)

2. The Controller concludes data processing agreements with processors of personal data pursuant to Article 28 GDPR, which guarantee an appropriate level of protection.

3. The Controller may transfer personal data to third countries (outside the EU/EEA) only where the conditions set out in Chapter V of the GDPR are met – in particular where the European Commission has issued an adequacy decision, or where appropriate safeguards are in place (standard contractual clauses). In particular, data may be transferred to providers of cloud or e-mailing services with servers outside the EU (e.g. Google, Mailchimp). Upon request, the Controller will provide further information about specific recipients and safeguards.


VI. Your Rights as a Data Subject

As a data subject, you have the following rights under the conditions set out in the GDPR:

1. Right of access (Article 15 GDPR) – you have the right to obtain confirmation from the Controller as to whether your personal data is being processed, and if so, to access that data and information about its processing.

2. Right to rectification (Article 16 GDPR) – you have the right to have inaccurate personal data corrected and incomplete personal data completed.

3. Right to erasure ("right to be forgotten") (Article 17 GDPR) – you have the right to have your personal data erased where the conditions set out in Article 17 GDPR are met (e.g. the data is no longer necessary for the purpose for which it was collected; you withdraw consent and there is no other legal basis for processing).

4. Right to restriction of processing (Article 18 GDPR) – you have the right to request restriction of processing of your personal data in the cases set out in Article 18 GDPR.

5. Right to data portability (Article 20 GDPR) – you have the right to receive the personal data you have provided to the Controller in a structured, commonly used and machine-readable format, and the right to transmit that data to another controller.

6. Right to object (Article 21 GDPR) – you have the right to object at any time to the processing of your personal data carried out on the basis of the Controller's legitimate interests (Article 6(1)(f) GDPR), including processing for direct marketing purposes. Following an objection, the Controller will no longer process your personal data for that purpose unless it demonstrates compelling legitimate grounds for the processing.

7. Right to withdraw consent – where processing is based on your consent, you have the right to withdraw that consent at any time, in writing or electronically, to the address or e-mail of the Controller stated in Article I of this Policy. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

8. Right to lodge a complaint – you have the right to lodge a complaint with the supervisory authority:

Office for Personal Data Protection (Úřad pro ochranu osobních údajů) Pplk. Sochora 27, 170 00 Prague 7, Czech Republic Tel.: +420 234 665 111 E-mail: posta@uoou.cz Website: www.uoou.cz

9. Response time: The Controller will respond to your request without undue delay and no later than 1 month from receipt. In exceptional cases (complexity or number of requests), this period may be extended by a further 2 months; you will be informed of any such extension (Article 12(3) GDPR).


VII. Security of Personal Data

1. The Controller declares that it has implemented all appropriate technical and organisational measures to secure personal data in accordance with Article 32 GDPR.

2. Technical measures include in particular:

  • encryption of data transmission via SSL/TLS protocol (HTTPS),
  • securing access to the online shop administration and customer data by password and access controls,
  • regular data backups,
  • use of trusted processors with an appropriate level of security.

3. Organisational measures include in particular:

  • restricting access to personal data to persons who strictly need it for the performance of their duties,
  • informing such persons of their duty of confidentiality and the rules on personal data protection.

4. In the event of a personal data breach likely to result in a high risk to the rights and freedoms of natural persons, the Controller will inform data subjects in accordance with Article 34 GDPR.


VIII. Cookies

1. The Controller's website www.hunter-deco.cz uses cookies. Cookies are small text files stored in your browser when you visit the website.

2. The Controller uses the following types of cookies:

  • Necessary cookies – required for the correct functioning of the website and online shop (login, shopping cart). These cookies do not require consent.
  • Analytical cookies – used to monitor website traffic and user behaviour (e.g. Google Analytics). These are processed only on the basis of your consent.
  • Marketing cookies – used to display relevant advertising. These are processed only on the basis of your consent.

3. You may withdraw or modify your consent to cookies at any time via the cookie settings available on the website or through your browser settings.


IX. Final Provisions

1. By submitting an order through the online order form, you acknowledge that the Controller processes your personal data for the purpose of performing the contract. This processing does not require your consent, as it is based on the legal ground of performance of a contract pursuant to Article 6(1)(b) GDPR.

2. Consent to the processing of personal data for marketing purposes (sending newsletters and commercial communications to persons who are not existing customers) is given by separately ticking the relevant checkbox. This consent is entirely voluntary and withholding it does not affect your ability to conclude a purchase contract.

3. The Controller is entitled to update this Privacy Policy at any time. You will be informed of any material changes by e-mail or by a notice on the website. The current version of the Policy is always available at www.hunter-deco.cz.


This Privacy Policy takes effect on 5 June 2025.